Discussion:
[libdvdcss-devel] [PATCH] crash in dvdcss_open
Diego Biurrun
2007-07-13 16:43:42 UTC
We have received bug reports of libdvdcss-related crashes in MPlayer:

http://bugzilla.mplayerhq.hu/show_bug.cgi?id=845
http://bugzilla.mplayerhq.hu/show_bug.cgi?id=860

The problem appears to be a stack overrun in dvdcss_open. Ivan
Kalvachev committed a fix with the following log message to MPlayer:

Fix crash on some DVDs
sprintf(tmp,"%.02x",(char)0xef); would print "ffffffef" instead of "ef",
in this case this leads to local array buffer overflow and hard to trace stack corruption.
The quick, easy & dirty solution is to use (unsigned char) or (uint8_t)
Fixes Bugzilla 860 & 845

I'm attaching the patch for your consideration.

Diego
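
The sign extension described in the commit message above, as an added C example that is not part of the original thread or of libdvdcss. The function names and sample bytes are constructed for illustration, `signed char` is used so the result does not depend on whether plain `char` is signed on the platform, and a 32-bit `int` is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length that "%.02x" produces for one byte stored in a signed char.
 * snprintf(NULL, 0, ...) only measures, so nothing is overrun here. */
static int hex_len_signed(signed char b)
{
    /* Default argument promotion turns b into int and %x reads that as
     * unsigned int; the casts spell the same conversion out. */
    return snprintf(NULL, 0, "%.02x", (unsigned int)(int)b);
}

/* Same measurement with the cast from the commit message applied. */
static int hex_len_unsigned(signed char b)
{
    return snprintf(NULL, 0, "%.02x", (unsigned int)(uint8_t)b);
}

/* Hex-encode n bytes into out (capacity cap) with the cast and a bound on
 * every write. Returns characters written, or -1 if out is too small. */
static int hex_encode(const signed char *in, size_t n, char *out, size_t cap)
{
    size_t used = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (cap - used < 3) return -1;          /* two digits plus NUL */
        snprintf(out + used, cap - used, "%.02x",
                 (unsigned int)(uint8_t)in[i]);
        used += 2;
    }
    return (int)used;
}

int main(void)
{
    const signed char sample[] = { 0x12, -17, 0x7f, -1 };  /* constructed */
    char hex[2 * sizeof sample + 1];
    printf("signed: %d chars, cast: %d chars\n",
           hex_len_signed(sample[1]), hex_len_unsigned(sample[1]));
    if (hex_encode(sample, sizeof sample, hex, sizeof hex) > 0)
        printf("%s\n", hex);
    return 0;
}
```

A buffer sized for two characters per byte is four times too small for any byte with the high bit set when the cast is missing, which is why only some discs triggered the crash.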
Diego Biurrun
2007-07-29 14:08:22 UTC
Post by Diego Biurrun
http://bugzilla.mplayerhq.hu/show_bug.cgi?id=845
http://bugzilla.mplayerhq.hu/show_bug.cgi?id=860
The problem appears to be a stack overrun in dvdcss_open. Ivan
Fix crash on some DVDs
sprintf(tmp,"%.02x",(char)0xef); would print "ffffffef" instead of "ef",
in this case this leads to local array buffer overflow and hard to trace
stack corruption.
The quick, easy & dirty solution is to use (unsigned char) or (uint8_t)
Fixes Bugzilla 860 & 845
I'm attaching the patch for your consideration.
Patched
Was there another one ?
Yes, we have another patch in our copy of libdvdcss, but we are not yet
completely sure what to make of it...

Diego
